The National Security Agency (NSA) and its British counterpart have successfully defeated encryption technologies used by a broad swath of online services, including those provided by Google, Facebook, Microsoft, and Yahoo, according to new reports published by The New York Times, Pro Publica, and The Guardian. The revelations, which include backdoors built into some technologies, raise troubling questions about the security that hundreds of millions of people rely on to keep their most intimate and business-sensitive secrets private in an increasingly networked world.

The reports, published simultaneously by the NYT, Pro Publica, and The Guardian, are based on newly disclosed documents provided by former NSA contractor Edward Snowden. They reveal a highly classified program codenamed Bullrun, which according to the reports relied on a combination of "supercomputers, technical trickery, court orders, and behind-the-scenes persuasion" to undermine basic staples of Internet privacy, including virtual private networks (VPNs) and the widely used secure sockets layer (SSL) and transport layer security (TLS) protocols.

"For the past decade, NSA has led an aggressive, multipronged effort to break widely used Internet encryption technologies," the NYT reported, quoting a 2010 memo describing a briefing of NSA capabilities to employees of the Government Communications Headquarters, or GCHQ. "Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable."

When British analysts were briefed on the success, according to another memo, "those not already briefed were gobsmacked!" the NYT added.

The newly aired documents underscore the difficult balancing act that intelligence agencies must perform when monitoring terrorists and other state enemies. While officials say the ability to decode communications intercepted from suspects is crucial to national security, critics warn that the undermining of widely used encryption technologies could have an unintended boomerang effect that harms US companies and citizens.

"The risk is that when you build a backdoor into systems, you're not the only one to exploit it," Matt Green, a Johns Hopkins professor specializing in cryptography, told the NYT. "Those backdoors could work against US communications, too."

Bruce Schneier, an encryption specialist and fellow at Harvard's Berkman Center for Internet and Society, told The Guardian, "Cryptography forms the basis for trust online. By deliberately undermining online security in a short-sighted effort to eavesdrop, the NSA is undermining the very fabric of the Internet."

Neither report made clear exactly how the intelligence agencies are bypassing VPNs, SSL, and TLS, which are all presumed to provide nearly impenetrable cryptographic assurance when used correctly. But the NYT specifically mentions all three—as well as an unspecified protection used in 4G smartphones—as being the focus of the NSA's most intensive efforts.

Similarly, for three years, the GCHQ looked into ways to decode encrypted traffic from Google, Facebook, Microsoft, and Yahoo. By 2012, the British agency developed "new access opportunities" into Google systems, the paper reported. By 2010, a GCHQ counterencryption program, dubbed Edgehill, aspired or was able—the NYT and The Guardian seem to disagree on this point—to decode VPN traffic for 30 targets and set a goal of an additional 300 by 2015.

The reports also discuss the intelligence agencies working to get Internet companies' help in decrypting traffic by eliciting their voluntary cooperation, forcing their cooperation through court orders, or hacking into their networks to steal encryption keys or surreptitiously alter their software or hardware. Documents provided by Snowden said the NSA spends $250 million per year on a Sigint Enabling Project that "actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs" to make them exploitable. Earlier this year, the program found ways inside "some of the encryption chips" used by businesses and governments, either by working with chipmakers to insert backdoors or by surreptitiously exploiting existing security flaws, the NYT said.

The paper went on to describe the covert hand NSA agents played in "deliberately weakening the international encryption standards adopted by developers." It cited a goal in a 2013 budget request to "influence policies, standards, and specifications for commercial public key technologies." The report—written by Nicole Perlroth, Jeff Larson, and Scott Shane—said, "Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology, the United States’ encryption standards body, and later by the International Organization for Standardization, which has 163 countries as members."

Promoted Comments

... So nice to know that securing our entire economic infrastructure is less important than being able to read my email.

These standards are the bedrock that every single financial transaction on the internet relies on.

If you have any kind of remote access into your work place, say at a bank or a loan company, a game company, or a power plant, these security standards are what make it possible for you to do this securely, without someone else watching and coming in behind you.

Without them being truly secure, we have no ecommerce, we have no remote working, we have no Amazon or Ebay, and the economy of not just the US, but most of the modern world, will crumble.

Yes, that risk is surely worth the benefit of the NSA being able to read our email, right?

What I'm reading here is that the NSA has not gained the capability to attack encryption protocols directly; rather, they've found ways to gain access to the data before or after it is encrypted, or they have gained access to the encryption keys themselves. Further, the methods they use to gain such access are extremely fragile, mainly because they rely on subterfuge and lack of vigilance from their targets.

This is enormously important, because it means those who value their privacy still have the tools to fight back, and even a slight increase in vigilance will be enough to shut the NSA out.

The reports also discuss the intelligence agencies working to get Internet companies' help in decrypting traffic by eliciting their voluntary cooperation, forcing their cooperation through court orders, or hacking into their networks to steal encryption keys or surreptitiously alter their software or hardware. Documents provided by Snowden said the NSA spends $250 million per year on a Sigint Enabling Project that "actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs" to make them exploitable. Earlier this year, the program found ways inside "some of the encryption chips" used by businesses and governments, either by working with chipmakers to insert back doors or by surreptitiously exploiting existing security flaws, the NYT said.

I'm tentatively thinking that operational decryption of TLS/SSL is about subverting certificate authorities, not about code-breaking. In the Diginotar case, an arbitrary CA issued certs for Google. That was detectable by any user exposed to the public cert and chain, and is widely mitigated by public-key pinning. Decryption and MITM attacks become undetectable and public-key pinning useless if the attacker has copies of the private key, however, which could be supplied by the CA wittingly or unwittingly.

Actually, this is sadly incorrect.

You provide the CA with a Certificate Signature Request, which provides your public key and any other information that they need to sign the public key, the CA never gets your private key.

This compromise seems to require one of the following, getting the private keys from each service they wish to monitor, breaking RSA or AES, breaking SSL separately from RSA or AES, or subverting the standards in question from the start.

I am honestly not sure which is the most frightening, but their budget lines show that they are actively trying the latter.

If you have the root keys you can build the cert chain to man-in-the-middle. You'd impersonate the site to the user and user to the site. You never need the private keys of the site.

But you'd need hardware sitting on the backbone to do the attack fast enough...
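The public-key pinning check mentioned in the comments above, as an added example (not code from the article or from any commenter): it pins the SHA-256 of a certificate's SubjectPublicKeyInfo and evaluates three presented certificates. The certificates are constructed, structurally valid DER with placeholder key bytes and dummy signatures, and every name in them is hypothetical.

```python
import base64
import hashlib

# --- minimal DER helpers (just enough for X.509 structure) ---------------
def der(tag: int, body: bytes) -> bytes:
    """Encode one definite-length DER TLV."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, end) for the TLV that begins at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        start, n = pos + 2, first
    else:
        k = first & 0x7F
        if k == 0 or k > 4:
            raise ValueError("unsupported DER length")
        start = pos + 2 + k
        n = int.from_bytes(buf[pos + 2:start], "big")
    if start + n > len(buf):
        raise ValueError("truncated DER value")
    return tag, start, start + n

def extract_spki(cert: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a DER certificate."""
    tag, start, _ = read_tlv(cert, 0)            # Certificate
    if tag != 0x30:
        raise ValueError("not a certificate SEQUENCE")
    tag, pos, tbs_end = read_tlv(cert, start)    # TBSCertificate
    if tag != 0x30:
        raise ValueError("bad TBSCertificate")
    tag, _, nxt = read_tlv(cert, pos)
    if tag == 0xA0:                              # optional [0] version
        pos = nxt
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def spki_pin(cert: bytes) -> str:
    """Base64 SHA-256 of the SPKI: the value a client would pin."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert)).digest()).decode()

def check_pin(cert: bytes, pinned: str) -> bool:
    return spki_pin(cert) == pinned

# --- constructed sample certificates (no real keys or signatures) --------
def name(cn: str) -> bytes:
    atv = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))             # Name -> RDN -> commonName

def make_cert(issuer_cn: str, subject_cn: str, key_bytes: bytes) -> bytes:
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    key_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, key_alg + der(0x03, b"\x00" + key_bytes))
    validity = der(0x30, der(0x17, b"130101000000Z") + der(0x17, b"140101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x00" * 32))

SITE_KEY = hashlib.sha256(b"constructed site key").digest() * 8    # placeholder
OTHER_KEY = hashlib.sha256(b"constructed other key").digest() * 8  # placeholder

genuine = make_cert("Example Root CA", "www.example.test", SITE_KEY)
PIN = spki_pin(genuine)   # recorded by the client on a trusted first contact

def pinning_demo() -> dict:
    """Evaluate three presented certificates against the recorded pin."""
    other_ca_new_key = make_cert("Some Other CA", "www.example.test", OTHER_KEY)
    other_ca_same_key = make_cert("Some Other CA", "www.example.test", SITE_KEY)
    return {
        "genuine": check_pin(genuine, PIN),
        # A certificate for the same name from another CA, different key: rejected.
        "different_key_other_ca": check_pin(other_ca_new_key, PIN),
        # Same key bytes under any issuer: the pin alone cannot tell it apart.
        "same_key_other_ca": check_pin(other_ca_same_key, PIN),
    }

if __name__ == "__main__":
    print(PIN, pinning_demo())
```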

237 Reader Comments

If I lived in USA, I would be proud of having a company like NSA. Being able to break so much securities is not something everybody can do. At least, you know the money they spend is not waste. They are pretty efficient at what they are doing.

The NSA also devotes considerable resources to attacking endpoint computers. This kind of thing is done by its TAO – Tailored Access Operations – group. TAO has a menu of exploits it can serve up against your computer – whether you're running Windows, Mac OS, Linux, iOS, or something else – and a variety of tricks to get them on to your computer. Your anti-virus software won't detect them, and you'd have trouble finding them even if you knew where to look. These are hacker tools designed by hackers with an essentially unlimited budget. What I took away from reading the Snowden documents was that if the NSA wants in to your computer, it's in. Period.

What I'm reading here is that the NSA has not gained the capability to attack encryption protocols directly; rather, they've found ways to gain access to the data before or after it is encrypted, or they have gained access to the encryption keys themselves. Further, the methods they use to gain such access are extremely fragile, mainly because they rely on subterfuge and lack of vigilance from their targets.

This is enormously important, because it means those who value their privacy still have the tools to fight back, and even a slight increase in vigilance will be enough to shut the NSA out.

What, do you expect people to read the articles now before commenting? Just because Google sells the keys to the NSA doesn't mean AES is broken.

So as a practical matter, what needs to happen with TLS/SSL standards to make a communication channel impractical for the NSA to decrypt wholesale? When will people start working on this? Do we just need more bits in our keys, or are there deeper structural issues with the PKI cryptographic standards on the Internet?

I think this demonstrates that the PKI is more or less fundamentally broken because it relies on trusting third parties that's very vulnerable to US government bullying (particularly when a lot of the large CAs are US companies!). They've always been a weak spot but when any company in the US appears to have to deal with a very aggressive government willing to use tactics that should land them in jail themselves (lavabit!)...

It also indicates that companies/governments should think long and hard about using anything from the US (or presumably aus/nz/canada/the uk as well).

So when "hacktivists" violate security protocols and break into corporate databases and gather data, it's all in the public good, in part because they've shown us just how weak and vulnerable our security methods are. At least, that seems to be the common reaction amongst many in the tech community.

But when a government agency shows us how weak and vulnerable the security protocols we've been relying on for years really are, we're indignant and feel betrayed.

Why are these things different? Why is the government evil and why are the hackers heroes?

So you all thought that putting a crayon-scrawled "keEp oUt" sign on your digital communications meant that no one anywhere on the planet would dare to sniff around? Do you really think the US government is the first and only body to attempt and succeed at this?

If you feel betrayed, then open your eyes and stop being so damn naive. If you're indignant, then write to the standards bodies and ask for real security. And until you get it, don't assume.

I'm actually ok with the idea that the NSA has worked actively to find ways to decrypt traffic on the internet. It's perfectly appropriate for their mission. They need to do that. And the better their understanding of how encryption can be broken, the better their understanding of how we can be protected from foreign interests trying to do the same thing.

What's not ok here is when they actively work to undermine our security. Weakening security protocols, installing backdoors. That is damage that can be exploited by them for their mission, but can also be exploited by anyone else. I didn't find it acceptable to spy on me in order to also spy on bad guys, I certainly don't find it acceptable to take active steps to make me vulnerable to bad guys just to make their job easier.

Quite the opposite, I expect the NSA should be identifying weaknesses in security protocol and patching them up. Ensuring our digital security is an important mission assigned to the NSA which they have not just neglected but have actively betrayed.

Hypothetically for example if every server processor manufactured by a large semiconductor company in the last 10 years had such a "feature", would China keep buying them? My guess is at the very least the Chinese government would ban all future orders (at least for some uses), and look to rapidly remove and isolate such systems, and many other countries would act similarly.

I honestly think we might see such a revelation soon, and it could be terminal for companies involved.

Well, one of the reasons the US tells companies not to buy Huawei is because it is generally assumed the Chinese government has installed backdoors for monitoring and intercepting traffic. Turns out they had good reason to suspect Huawei: the US government was busy installing their own backdoors on all that Cisco and Juniper gear and figured "everyone does it" is a good excuse.

What I'm reading here is that the NSA has not gained the capability to attack encryption protocols directly; rather, they've found ways to gain access to the data before or after it is encrypted, or they have gained access to the encryption keys themselves. Further, the methods they use to gain such access are extremely fragile, mainly because they rely on subterfuge and lack of vigilance from their targets.

This is enormously important, because it means those who value their privacy still have the tools to fight back, and even a slight increase in vigilance will be enough to shut the NSA out.

What, do you expect people to read the articles now before commenting? Just because Google sells the keys to the NSA doesn't mean AES is broken.

It's worse actually. If AES were broken, everyone would stop using it. If you compromise the CAs but all of academia can't so much as dent AES, then PKI is a sham that we trust.

It might take longer than the age of the universe to brute force one private key, but it takes a few NSLs to compromise the vast majority.

To apply Occam's razor; what is more likely, that we've improved computing power by a factor of trillions, or that as always, the humans are the easiest attack vector.

That's not even conspiracy thinking. The options are we've made a leap in computing that makes Star Trek tech look like an abacus or we realized we still are violent apes capable of violent ape behavior.

To be honest I am confused what people thought the NSA did. I always assumed they worked on being able to break security. That is one of their primary purposes.

Spying on Americans is not their job. Breaking cryptography and security systems so enemies can be exploited and we can be more secure.

But that's exactly the point: They've broken cryptography and security systems, *so that they can spy on Americans*.

The real world isn't the movie Sneakers.

In Sneakers, the big reveal at the end is that the crypto-cracking chip only works on US crypto standards; that it would only be useful for spying on Americans. That it has no benign, foreigner-spying purpose.

But that's not how reality works. In reality, the same crypto primitives are used by basically everyone. Anything that lets the US spy on its enemies lets it equally spy on its own people. Even when the specific algorithms are different (for example, Americans used DES when Russians used GOST), the basic design and concepts tend to be very similar. The NSA may have broken cryptographic and security systems (though Schneier's pieces make me believe that there's no general-purpose attacks on any common crypto), and that may enable them to spy on Americans, but that's inevitable if they also want to spy on hostile foreigners.

My question is, who does this work? Who figures something out and says, "fantastic, by allowing governments to secretly access the [Facebook/Google/Yahoo/etc] data of anyone in the world, I've truly done something good today."

If I lived in USA, I would be proud of having a company like NSA. Being able to break so much securities is not something everybody can do. At least, you know the money they spend is not waste. They are pretty efficient at what they are doing.

You don't sound like an American, that's for sure.

He doesn't sound German either.

What I meant by that comment is that Americans take their Constitutional rights deadly seriously. Very few Americans will be "proud" about the technical achievement of defeating security and privacy on the internet, and potentially (ha ha) undermining their rights.

So, here is a question. What percentage of the accidental backdoors that have been found in Windows, Java and Adobe products are programming flaws, and what percentage are planted backdoors for the alphabet agencies?

I know it wouldn't be a large percentage, but the main question should be: is it greater than 0%?

This is why declaring wars on various activity is never a good idea. The War on Drugs™ devastated an entire race of Americans who would rather smoke pot over consuming alcohol. The War on Poverty™ created a dependent class. Now the War on Terror™ breaks security in order to save it.

"The moment war is declared, however, the mass of the people, through some spiritual alchemy, become convinced that they have willed and executed the deed themselves. They then, with the exception of a few malcontents, proceed to allow themselves to be regimented, coerced, deranged in all the environments of their lives, and turned into a solid manufactory of destruction toward whatever other people may have, in the appointed scheme of things, come within the range of the Government's disapprobation. The citizen throws off his contempt and indifference to Government, identifies himself with its purposes, revives all his military memories and symbols, and the State once more walks, an august presence, through the imaginations of men. Patriotism becomes the dominant feeling, and produces immediately that intense and hopeless confusion between the relations which the individual bears and should bear toward the society of which he is a part."

Excerpt from "War is the Health of the State" by Randolph Bourne (1918), who is a much better writer than I.

If you are "under attack" then you can bring legal action (not against the government, but perhaps against the private standards body), but you must first show harm. Have you actually been harmed by this security breach?

What if the taxes you pay, the taxes that went into this program, are actually being used to protect you? Can you show that they're not?

We've been living with the aftershocks of the Snowden revelations for what, months now? And in all that time, with all that's been revealed, I've yet to hear someone, anyone, stand up and say "Oh, now I know why "x" happened to me. Now I understand why that harm occurred to me "y" years ago. The government was doing it to me all along. This all explains it."

Remember the Android bug in all versions which messed up the Random Generator just enough to make it possible to break all (asymmetric) encryption done on the device without someone noticing? How it was only found because criminals were able to exploit it? Oh wait, wrong thread, this is about the NSA paying companies to put in backdoors in their hardware/software.

But honestly, I would be willing to bet that a good chunk of such bugs are not so much bugged after all. I know errors easily happen when working on crypto, but some types of errors are just too well placed imho.

So when "hacktivists" violate security protocols and break into corporate databases and gather data, it's all in the public good, in part because they've shown us just how weak and vulnerable our security methods are. At least, that seems to be the common reaction amongst many in the tech community.

But when a government agency shows us how weak and vulnerable the security protocols we've been relying on for years really are, we're indignant and feel betrayed.

Why are these things different? Why is the government evil and why are the hackers heroes?

So you all thought that putting a crayon-scrawled "keEp oUt" sign on your digital communications meant that no one anywhere on the planet would dare to sniff around? Do you really think the US government is the first and only body to attempt and succeed at this?

If you feel betrayed, then open your eyes and stop being so damn naive. If you're indignant, then write to the standards bodies and ask for real security. And until you get it, don't assume.

Why these things are different is because we expect thieves to try and rob us. We don't expect to find ourselves under attack from the very government we elect and finance with our tax dollars. And on a related note, the Romanian script kiddies don't have a $250 million annual budget to put into developing better ways to get into our shorts, like our government apparently does.

And by the way, no one ever thought properly used encryption was the equivalent of a crayon sign, because we believed the people we are supposed to be able to trust, and they lied to us.

If you are "under attack" then you can bring legal action (not against the government, but perhaps against the private standards body), but you must first show harm. Have you actually been harmed by this security breach?

What if the taxes you pay, the taxes that went into this program, are actually being used to protect you? Can you show that they're not?

We've been living with the aftershocks of the Snowden revelations for what, months now? And in all that time, with all that's been revealed, I've yet to hear someone, anyone, stand up and say "Oh, now I know why "x" happened to me. Now I understand why that harm occurred to me "y" years ago. The government was doing it to me all along. This all explains it."

Nothing. Nothing like that at all. Haven't heard a single thing.

Why not?

That reminds me of the comment by Saxby Chambliss when the first article ran in the Guardian revealing the phone metadata feeds, he said something like "I've had zero complaints from my constituents on the program".

Well, considering it was top secret and everybody who did know had a gag order and could not mention it, it's pretty absurd to make that statement. So far it has resulted in several internet privacy businesses throwing in the towel, and there will be more fallout as people realize everything they say will be monitored. The ensuing silence of the paranoid subjects of this brave new world will be deafening.

I sure hope that doesn't mean AES-NI is vulnerable. I think it's about time we demanded open source hardware in addition to open source software.

Don't use the key generation function and you're safe probably. It would be more interesting however if they put a backdoor not in the AES-NI functions but in TXT, Secure Boot, AMT, vPro... that would be a big problem... full unrestricted low level access, under the OS... but if someone leaks this backdoor, Intel and almost everybody in the world would be in big trouble...

They've broken cryptography and security systems to find threats, without a good ability to separate traffic from Americans and non-Americans, which they consider to be good enough.

At this point, I doubt detecting threats is a major consideration for this. This endangers orders of magnitude more lives on all sides than it could potentially save. What it does is allow them greater power and control over foreign and domestic targets.

Every company I've ever worked for that sat on a standards body has pushed their own agenda when it came time to create or propose revisions to a standard. I have no idea why the government would not do the same.

No, hacktivists just break into systems by working around the security that's already there. And I've never heard any of them blame the government for the security being deliberately weak.

ARPAnet, developed by ARPA, later called DARPA, a part of the US Department of Defense, was the initial form of the modern day internet.

Read that and tell me with a straight face that its benefactors didn't have exactly this sort of thing in mind for its future. Okay, maybe not initially, but after proof-of-concept maybe.

The initial stated intent was to provide a decentralized means of communications in case major public communications were disrupted by war. However opening it up to everyone does provide a slick way of introducing big brother. Not saying I agree with your reasoning, but we both got to the same place in the end.

What I'm reading here is that the NSA has not gained the capability to attack encryption protocols directly; rather, they've found ways to gain access to the data before or after it is encrypted, or they have gained access to the encryption keys themselves. Further, the methods they use to gain such access are extremely fragile, mainly because they rely on subterfuge and lack of vigilance from their targets.

This is enormously important, because it means those who value their privacy still have the tools to fight back, and even a slight increase in vigilance will be enough to shut the NSA out.

What, do you expect people to read the articles now before commenting? Just because Google sells the keys to the NSA doesn't mean AES is broken.

It's worse actually. If AES were broken, everyone would stop using it. If you compromise the CAs but all of academia can't so much as dent AES, then PKI is a sham that we trust.

It might take longer than the age of the universe to brute force one private key, but it takes a few NSLs to compromise the vast majority.

To apply Occam's razor; what is more likely, that we've improved computing power by a factor of trillions, or that as always, the humans are the easiest attack vector.

That's not even conspiracy thinking. The options are we've made a leap in computing that makes Star Trek tech look like an abacus or we realized we still are violent apes capable of violent ape behavior.

Good point. Moving outside the US is just a short term solution, in that case.

To be honest I am confused what people thought the NSA did. I always assumed they worked on being able to break security. That is one of their primary purposes.

Spying on Americans is not their job. Breaking cryptography and security systems so enemies can be exploited and we can be more secure.

But that's exactly the point: They've broken cryptography and security systems, *so that they can spy on Americans*.

The real world isn't the movie Sneakers.

In Sneakers, the big reveal at the end is that the crypto-cracking chip only works on US crypto standards; that it would only be useful for spying on Americans. That it has no benign, foreigner-spying purpose.

But that's not how reality works. In reality, the same crypto primitives are used by basically everyone. Anything that lets the US spy on its enemies lets it equally spy on its own people. Even when the specific algorithms are different (for example, Americans used DES when Russians used GOST), the basic design and concepts tend to be very similar. The NSA may have broken cryptographic and security systems (though Schneier's pieces make me believe that there's no general-purpose attacks on any common crypto), and that may enable them to spy on Americans, but that's inevitable if they also want to spy on hostile foreigners.

Inserting backdoors is another matter entirely, mind you.

And yet, is there really anyone at this point who really believes the NSA cares if the person they want to spy on is American? In the event someone they are interested in is, and they know they are American, they'll just spy on them anyway and claim it was an accident. Like the time I accidentally smoked pot because I uh... thought it was Oregano. That's the story I'll go with.

The War on Drugs™ devastated an entire race of Americans who would rather smoke pot over consuming alcohol.

That's the gentrified view. The people you are referring to actually love alcohol. (You should see the traffic at the local corner liquor store after 5 PM). And by the way, they generally get themselves arrested by dealing or some other form of illegal stupidity with stuff in da pockets -not consumption.

I'm a long time Ars reader, but I'm compelled to post for the first time.

I want to let people here know about the FreedomBox program. It's a decentralized, privacy and security conscious communications and storage program that runs on plug computers. Freedombox assumes that centralized security structures such as certificate authorities have been compromised. GPG keys take the place of certificates and are used for identification and communication.

It was inspired by Eben Moglen and it's being implemented by Bdale Garbee and others as part of Debian. They're always looking for more programmers and security experts to build a secure program, as doing something like this is very tricky.